From 7c55cebd914ac059b9c91a897cb00011b689eb57 Mon Sep 17 00:00:00 2001
From: Robin Krahl
Date: Mon, 25 Sep 2017 20:55:08 +0000
Subject: bro-script: Add simple baseline implementation

This implementation only logs the (combined) request and response events that occur within the same connection. This assumes that a response is always sent over the same connection as a request. It is unclear whether this assumption really holds.

This implementation does not yet contain error handling, so if there was no response for a request, Bro displays an error message. It also does not contain an interpretation of the values, so if multiple values are read within one request, they are displayed in the same log entry.
---
 bro-script/README | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bro-script/README b/bro-script/README
index abfe1ad..03d9158 100644
--- a/bro-script/README
+++ b/bro-script/README
@@ -1,4 +1,8 @@ This directory contains a baseline implementation of the package parser implemented as a Bro script. A .bro file contains a script that can be executed on a Modbus pcap dump. A .log file contains an example for an -output file generated by this script. +output file generated by this script. By convention, the sample log file +should contain the first 100 lines of a real log file. + +Currently, the scripts only handle the read_holding_registers event. Other +events can handled by simply copying and adapting the existing handlers.
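Review bot: the last added line, "+events can handled by simply copying and adapting the existing handlers.", is missing a word; it should read "can be handled". While this paragraph is being edited, the README should also record the two limitations the commit message states but the README does not: that the script assumes a response arrives on the same connection as its request (which the author notes is unverified), and that a request with no matching response currently makes Bro print an error instead of being handled. A user running the .bro file against a pcap will hit both of these before ever reading the commit log, so the README is where they belong.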